Re: SE_ASSIGNPRIMARYTOKEN_NAME
From: Rhett Gong [MSFT] (v-raygon_at_online.microsoft.com)
Date: 07/28/05
- Next message: Kid: "RunService"
- Previous message: Rhett Gong [MSFT]: "Re: ISC_RET_xxx and ASC_RET_xxx bits"
- In reply to: Larry: "Re: SE_ASSIGNPRIMARYTOKEN_NAME"
- Next in thread: Garfield Lewis: "Re: SE_ASSIGNPRIMARYTOKEN_NAME"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Jul 2005 05:51:28 GMT
|>Ok, from what I now understand, there is no natural way to do this. You
|>can't simply call "CreateProcessAsUser()" while impersonating but must
|>instead install a service or perhaps create another administrator account
|>and assign the privilege (all on the fly perhaps) and essentially jump
|>through a lot of hoops to get this all working. Maybe there's a good
Yes, currently we need a service to make it work properly on all Windows systems. But you don't need to create another
admin account to do this; just leaving it as "local service" should work, since by default "local service" and "network
service" do have this privilege granted.
|>security reason why administrators lack this privilege by default (which I
|>have yet to understand), but with all due respect, there's something wrong
|>with this picture (i.e., you can't simply launch a program while
|>impersonating an administrator).
This privilege is a very powerful right, so by default it is used only by the system. But you can easily grant this privilege to
the admin group or an account; please follow these steps:
1> Log on as an admin user
2> Open "Local Security Policy" from "Administrative Tools" in Control Panel
3> Find "Replace a process level token" under "Local Policies\User Rights Assignment" and double-click it
4> Then click the "Add User or Group..." button to add any admin user/group or other users.
Thanks,
Rhett Gong [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp&SD=msdn
This posting is provided "AS IS" with no warranties and confers no rights.
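
To check the outcome of the steps in the message above, the following added example (not part of the original post) exports the local user rights assignment with `secedit` and lists every account holding "Replace a process level token", flagging holders other than the two defaults the post names. The function name `Get-UserRightHolders` and the `BeyondDefault` column are hypothetical, and the script assumes an elevated prompt.

```powershell
# Added example: audit who holds SeAssignPrimaryTokenPrivilege
# ("Replace a process level token") in the local security policy.
function Get-UserRightHolders {          # hypothetical helper name
    param([string]$Right = 'SeAssignPrimaryTokenPrivilege')

    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights assignment area of the local policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
            throw "secedit export failed (exit code $LASTEXITCODE); run elevated."
        }

        # Exported line format: <RightName> = *S-1-5-19,*S-1-5-20
        $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
        if (-not $line) { return }       # right is assigned to nobody

        $entries = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }

        foreach ($entry in $entries) {
            if ($entry.StartsWith('*')) {
                # Leading '*' marks a SID; resolve it to an account name.
                $sid = $entry.TrimStart('*')
                try {
                    $name = ([System.Security.Principal.SecurityIdentifier]$sid).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = '<unresolved>' }
            } else {
                # Some entries are written by account name instead of SID.
                $sid = $null
                $name = $entry
            }
            [pscustomobject]@{ Right = $Right; Account = $name; Sid = $sid }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE (the default holders
# named in the post). Anything else was granted explicitly and needs review.
$defaults = 'S-1-5-19', 'S-1-5-20'
Get-UserRightHolders | ForEach-Object {
    $_ | Add-Member -NotePropertyName BeyondDefault `
        -NotePropertyValue ($_.Sid -notin $defaults) -PassThru
} | Format-Table -AutoSize
```

A newly granted account only receives the privilege in tokens created after the change, so the affected user has to log off and on again before the grant takes effect.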